The C rules and recommendations in this wiki are a work in progress and reflect the current thinking of the secure coding community. Because this is a development website, many pages are incomplete or contain errors. As rules and recommendations mature, they are published in report or book form as official releases. These releases are issued as dictated by the needs and interests of the secure software development community.

As of 9/28/2018, the CERT manifest files are now available for use by static analysis tool developers to test their coverage of (some of the) CERT Secure Coding Rules for C, using many of 61,387 test cases in the Juliet test suite v1.2.

Secure Coding in C and C++ identifies the root causes of today's most widespread software vulnerabilities, shows how they can be exploited, reviews the potential consequences, and presents secure alternatives.

We acknowledge the contributions of the following folks, and we look forward to seeing your name here as well.

Rules vs. Recomendations

This coding standard consists of rules and recommendations, collectively referred to as guidelines. Rules are meant to provide normative requirements for code, whereas recommendations are meant to provide guidance that, when followed, should improve the safety, reliability, and security of software systems. Learn more about the differences.

Linking to Our Pages

Link to guidelines using the Tiny Link under Tools→Link to this Page... (This URL will not change if the name of the guideline changes.)

Information for Editors

To eliminate a section from the lists above, label it section and void.

To have a section listed as a recommendation, label it section and recommendation.

1 Comment

Try to post comments on leaf nodes, or as close as possible. If you have a comment about a specific rule or recommendation, for example, please post a comment on that page. If you think that we should add a new rule or recommendation to a particular section, please post a comment on the section heading.